POSTED AT 10:02 AM 28-12-2018

Defending cyber enemy with Adversarial Attack Simulation Exercises

Organisations such as Financial Institutions (FIs) are experiencing very rapid growth in cyber security attacks in scope, complexity and sophistication. In order to face this advance risk, FIs set up layers of defensive measures, solutions and controls to diminish their exposure to attacks and develop their response readiness.

Adversarial Attack Simulation Exercises (AASE), often referred to as Red Team (RT) exercises, are authorised, prearranged, risk-managed and object-oriented cyber security assessments that simulate highly sophisticated targeted attacks against an organisation. Measuring and augmenting the resilience of FIs against sophisticated attacks are the objectives of AASE. FIs are motivated to generate setups for their attack simulation by finding the most likely adversaries and the attack vectors through threat modelling.

This will help to allocate their resources efficiently to the unique threats they are facing. The main purpose of these exercises is to measure the capability of a FI to avoid, identify and react to cyber-attacks that may influence Critical Functions or business stability. In order to accomplish this, these exercises simulate a full end-to-end cycle of a cyber security attack, duplicating actions and procedures utilised by real world adversaries with a high level of intent, sophistication and ability.

AASEs are designed to challenge a FI’s cyber security defences by modelling and then executing attacks based on real adversaries’ Techniques, Tactics and Procedures (TTP). Scenarios may target the FI’s People, Processes and Technology with the intent to compromise organisation’s Critical Functions (CF) and designed to be as realistic as possible.

Measuring the organisation’s capability to avoid, identify and respond to cyber-attacks and discover likely weaknesses that may not be identified through standard vulnerability and penetration testing methodologies is the primary goal of this exercise.

Due to the rapid growth in large scale cyber-attacks experiencing virtually every month, companies have initiated shifting their security defence paradigm towards gaining more visibility into the way attacks arise, and how they become targets. Most organisations already have a better understanding of penetration testing (pen-test) and have a mature security-assessment program that employs both vulnerability assessment and periodic penetration tests.

Penetration testing is a practical and proactive tool that can be used by an organisation (hopefully before any security compromise) to identify shortfalls within the controls protecting business-critical IT assets.

A vulnerability assessment is conducted during a typical pen-test, in which potential weaknesses within the system are revealed and listed. The type of attack performed is less vital than the type of threat actor being simulated in a red team assessment, by contrast. It is one of the major distinguishing factors of this Red Team Assessment. The open-source intelligence gathering methodologies are used to recognise information about an organisation that is available within the public domain, and which may be of use to a potential attacker.

This may consist of information that would be useful in performing phishing-style attacks (such as email address format and lists of employees extrapolated from social network sites), or lists of physical sites owned by the target organisation. An appropriate, physical reconnaissance may also be undertaken at this point within the assessment, in order to identify times of heavy footfall through the entrance and exits of a targeted building, and to identify the best windows of time of which to attempt physical breach attacks and to identify publicly-accessible areas that staff frequent, such as smoking areas.

While red teaming draws on elements of the pen-test methodology, the scope is nearly always wider, and for the most mature organisations, nearly unlimited. This permits the exercise to discover the real-world risks that the organisation is exposed to from a threat actor who is only interested in achieving their goal.

According to this, Red Teaming can be utilised to ‘snapshot’ the security posture of the organisation from the perspective of the threat acting against the organisation. This snapshot helps to identify potential gaps in the defence between the systems that may previously have been subjected to individual penetration tests, and at the same time it allows the network defenders an opportunity to explore and assess their detection and response capabilities against realistic attack scenarios.

The Red Team professionals of eCybersec Ltd. brings their distinctive approach into this whole assessment life cycle to uncover potential threats and protect customer IT infrastructure. Their depth of knowledge on this area has been able to exploit highly complex vulnerabilities and domain expertise in these emerging and critical technologies enables them to provide comprehensive recommendations to improve security postures of organisations.

As stated by S. Balasuriya, “Over the last 12 years, determined advanced threat actors will find a way into networks to carry out intellectual property theft, destroy systems, ransom or steal data, or conduct espionage and ultimately maintain their presence for as long as possible. With an intelligence-led approach, eCybersec Red Team Operations test organisations to their limits by simulating attacks using the latest available techniques of the most successful advanced threat actors around the world in order to improve detection and response capabilities. We have even built our own set of tools to emulate certain attack to test your detection capabilities against a specific threat actor.”